The SonicWall Capture Labs Threat Research Team observed new malware
called OlympicDestroyer [OlympicDestroyer.A].

The Winter Olympics this year are being held in Pyeongchang, South Korea, and the OlympicDestroyer malware was designed to knock computers
offline by deleting critical system files, which renders the machines
useless. This malware was used in an attack on the opening ceremony of the
Pyeongchang Winter Games.

Infection Cycle:

The malware adds the following files to the system:

Malware.exe

%Userprofile%\windows\AppData\Local\Temp\_ail.exe

%Userprofile%\windows\AppData\Local\Temp\_cqk.exe

%Userprofile%\windows\AppData\Local\Temp\_lew.exe

%Userprofile%\windows\AppData\Local\Temp\mbxve.exe

%Userprofile%\Public\19D132B60A21D68CFAC81B1BD252C965

Once the computer is compromised, the malware runs the following commands:

The malware overwrites the computer's partition table to prevent victims from
recovering their system drive, thereby making the infected machine unusable:

The malware deletes all shadow copies on the system using the vssadmin tool:

The malware deletes all web admin backup files on the target system:

The malware wipes the System and Security Windows event logs to ensure that recovery
is extremely difficult:

The malware drops two VBS files on the target system and executes them via
the VBScript tool:

The credentials embedded in the malware sample indicate that the Olympics'
IT providers were likely compromised by the same hackers that ultimately hit
the Winter Olympics. It remains unclear how the hackers were able to steal so
much information from Olympics employees. Here are some examples of
embedded credentials:

After running the above commands, the malware deletes itself using
shellcode injected into a legitimate copy of notepad.exe: it writes the
shellcode into memory allocated in that process with WriteProcessMemory and
creates a remote thread to execute it via the CreateRemoteThread function. The
injected notepad.exe waits until the sample terminates, and then deletes it.
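The behaviours described in the infection cycle above (shadow-copy deletion, event-log wiping, the dropped file names, and the remote thread created in notepad.exe) map directly onto endpoint telemetry. The following detection script is an added example written for this page, not SonicWall's signature or code: it runs a few rules over constructed, Sysmon-style records (event 1 = process creation, 8 = CreateRemoteThread, 11 = file creation). The field names, the sample events, the `wevtutil` pattern for log clearing (the page names no tool for that step) and the severity scale are all assumptions of this example.

```python
"""Detect OlympicDestroyer-style behaviour in Sysmon-like telemetry (added example)."""
import re

# Constructed sample telemetry modelled on Sysmon event types 1, 8 and 11.
# Paths, users and parent processes are made up for this example; the dropped
# file names come from the list in the advisory above.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\bob\Malware.exe"},
    {"id": 1, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security",
     "parent": r"C:\Users\bob\Malware.exe"},
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption",            # benign noise, must not fire
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 11, "image": r"C:\Users\bob\Malware.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\_ail.exe"},
    {"id": 11, "image": r"C:\Users\bob\Malware.exe",
     "target": r"C:\Users\Public\19D132B60A21D68CFAC81B1BD252C965"},
    {"id": 8, "source": r"C:\Users\bob\Malware.exe",
     "target": r"C:\Windows\System32\notepad.exe"},
    {"id": 8, "source": r"C:\Program Files\Debugger\dbg.exe",
     "target": r"C:\App\service.exe"},              # injection elsewhere, not this rule
]

# Command-line rules for the destructive steps. The advisory names vssadmin for
# shadow-copy deletion; it does not name the tool used to wipe the System and
# Security logs, so the wevtutil pattern is an assumption based on the usual
# built-in way of clearing those logs.
COMMAND_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("event_log_clear",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(system|security)\b", re.I)),
]

# File names listed in the advisory's "adds the following files" section.
DROPPED_NAMES = {"_ail.exe", "_cqk.exe", "_lew.exe", "mbxve.exe",
                 "19d132b60a21d68cfac81b1bd252c965"}


def _basename(path: str) -> str:
    """Return the lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return a list of (rule_name, evidence) pairs for every matching record."""
    findings = []
    for ev in events:
        if ev["id"] == 1:                                   # process creation
            for name, rx in COMMAND_RULES:
                if rx.search(ev["cmdline"]):
                    findings.append((name, ev["cmdline"]))
        elif ev["id"] == 11:                                # file creation
            if _basename(ev["target"]) in DROPPED_NAMES:
                findings.append(("known_dropped_file", ev["target"]))
        elif ev["id"] == 8:                                 # CreateRemoteThread
            # The advisory's self-deletion step: a remote thread in notepad.exe.
            if _basename(ev["target"]) == "notepad.exe":
                findings.append(("remote_thread_into_notepad", ev["source"]))
    return findings


def severity(findings):
    """Assumed triage scale: destructive command plus notepad injection is the
    full chain from the advisory, any single hit is still worth a look."""
    kinds = {name for name, _ in findings}
    if {"shadow_copy_deletion", "remote_thread_into_notepad"} <= kinds:
        return "critical"
    return "high" if kinds else "none"


if __name__ == "__main__":
    hits = analyse(SAMPLE_EVENTS)
    for rule, evidence in hits:
        print(f"{rule:28s} {evidence}")
    print("severity:", severity(hits))
```

The rules are deliberately narrow (exact tool names and verbs) so they can be deployed as-is; in a real pipeline the same matching would run over the EDR's process-creation and thread-injection streams rather than a hard-coded list, and the `known_dropped_file` rule should be treated as the weakest signal, since file names are the easiest indicator for an attacker to change.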

SonicWall Capture Labs provides protection against this threat via the
following signature: